Explore Vulnerabilities

Explore all Exploits:

Use-after-free in MovieClip.startDrag

There is a use-after-free in MovieClip.startDrag. If a parameter is an object with valueOf defined, this method can free the MovieClip, which is then used. A minimal PoC follows:

    this.createEmptyMovieClip("mc", 1);
    mc.startDrag( true, {valueOf : func}, 1, 2, 3, 4);

    function func(){
        mc.removeMovieClip();
        // Fix heap here
        return 1;
    }

PFSense <= 2.2.5 Directory Traversal

During a security audit of pfSense <= 2.2.5 (Latest Version), it was discovered that the files wizard.php?xml= and pkg.php?xml= are vulnerable to a file inclusion attack. Neither of these files sanitizes the path of the xml parameter, and a specially crafted xml file can be used to gain command execution. Visiting http://vulnhost/wizard.php?xml=../../../1.xml, where the 'xml' parameter is the path of the crafted file, will trigger the vulnerability.

Apache 2.4.17 – Denial of Service

A denial of service vulnerability exists in Apache 2.4.17 due to a preg_replace() function call that can be used to cause a segmentation fault. An attacker can exploit this vulnerability by sending a request containing a specially crafted payload to the vulnerable server. This will cause the server to crash and become unavailable.

MS15-010/CVE-2015-0057 win32k Local Privilege Escalation

MS15-010/CVE-2015-0057 is a vulnerability in the win32k component of Windows 8.1 (x64) that allows an attacker to gain elevated privileges on the system. The vulnerability is caused by a race condition in the win32k.sys driver, which can be exploited to execute arbitrary code with elevated privileges.

Ovidentia maillist 4.0 Module Remote File Inclusion Exploit

This exploit allows an attacker to include a remote file on the web server. The vulnerability exists in the Ovidentia maillist 4.0 Module, specifically in the mlincl.php file. The attacker can use the GLOBALS[babInstallPath] parameter to inject a malicious file from a remote server. The malicious file is then executed on the web server.

Joomla 1.5 – 3.4.6 Object Injection RCE X-Forwarded-For header

Joomla 1.5 - 3.4.6 is vulnerable to an Object Injection Remote Code Execution (RCE) vulnerability. This vulnerability is due to the lack of input validation of the X-Forwarded-For header. An attacker can exploit this vulnerability by sending a maliciously crafted X-Forwarded-For header to the vulnerable server. This can allow an attacker to execute arbitrary code on the vulnerable server.

Use-After-Free Condition with Bitmaps in the Clipboard

This PoC triggers a crash on Windows 7 32-bit with Special Pool enabled on win32k.sys. The kernel crashes due to a use-after-free condition with bitmaps in the clipboard. Multiple PoC executions and simulated system activity may be required to trigger this issue.

Null Pointer Condition on Windows 7 32-bit

The attached PoC triggers a null pointer condition on Windows 7 32-bit, which can potentially be exploited on versions of Windows that allow mapping the null page (e.g. Windows 7 32-bit). Multiple PoC executions and simulated system activity (such as opening Explorer) may be required to trigger this issue.

Use-after-free vulnerabilities in MovieClip.beginGradientFill

There are a number of use-after-free vulnerabilities in MovieClip.beginGradientFill. If the spreadMethod or any other string parameter is an object with toString defined, this method can free the MovieClip, which is then used. Note that many parameters to this function can be used to execute script and free the MovieClip during execution; it is recommended that these issues be fixed with a stale pointer check.